Vulnerabilities / Threats
10:13 AM

Adobe Reader, Acrobat Under Attack

Cue the security fatigue: Zero-day attacks target Adobe Reader and Acrobat, Adobe pushes second Flash patch, Microsoft fixes 57 flaws.

Who Is Hacking U.S. Banks? 8 Facts
Who Is Hacking U.S. Banks? 8 Facts
(click image for larger view and for slideshow)
Zero-day vulnerabilities in the most recent versions of Adobe Reader and Acrobat are being actively exploited by attackers, who are emailing malicious PDFs to targets to remotely compromise their PCs.

That warning comes from researchers at security firm FireEye, which said it's provided copies of the exploit code to Adobe. "A PDF zero-day is being exploited in the wild, and we observed successful exploitation on the latest Adobe PDF Reader 9.5.3, 10.1.5, and 11.0.1," according to a security warning posted Tuesday by FireEye. "Upon successful exploitation, it will drop two DLLs. The first DLL shows a fake error message and opens a decoy PDF document, which is usually common in targeted attacks. The second DLL in turn drops the callback component, which talks to a remote domain."

Adobe said it's investigating the alleged zero-day bugs. "Adobe is aware of a report of a vulnerability in Adobe Reader and Acrobat XI (11.0.1) and earlier versions being exploited in the wild," according to a brief Adobe vulnerability report released Tuesday. "We are currently investigating this report and assessing the risk to our customers. We will provide an update as soon as we have more information."

[ Can the government help with cybersecurity? Read White House Cybersecurity Executive Order: What It Means. ]

No additional details about the zero-day vulnerabilities have been publicly released, and it's not clear if the bugs allow attackers to bypass the sandbox built into Reader and Acrobat. But until the vulnerability gets patched, FireEye recommended that users avoid opening any PDF files of unknown origin.

Adobe Tuesday also patched known Flash Player vulnerabilities in Shockwave Player, Flash Player, and Adobe AIR, by releasing updates for Windows, Mac OS X, Linux and Android. That marked the second time in less than a week that Adobe, which normally only releases quarterly patch updates, released "out of band" patches to mitigate in-the-wild exploits of bugs in its products. In addition, Oracle still plans to release further patches on February 19.

In other words, 2013 is already turning out to be a banner year for bug spotting. For starters, new flaws recently surfaced not just in Flash and Adobe Reader and Acrobat, but also Internet Explorer and Java.

Microsoft Tuesday patched 57 vulnerabilities in its products, as part of its regularly scheduled, monthly patch release, and many of the bugs have been labeled as critical. "[The] critical vulnerabilities all potentially enable remote code execution, as does the SharePoint server related bulletin rated 'important' this month," said Kurt Baumgartner, a senior security researcher at Kaspersky Lab, in a blog post. "The other vulnerabilities enable elevation of privilege and denial of service attacks. Several of the vulnerabilities have been publicly disclosed, and at least one is known to be publicly exploited."

Many security experts are advising security managers to prioritize the Internet Explorer patch, which fixes 13 vulnerabilities -- privately reported to Microsoft and not yet detailed publicly -- which attackers could use to remotely exploit code on vulnerable machines. "Despite the bugs being privately disclosed, Microsoft is warning that exploitation in the wild is imminent," said Paul Ducklin, head of technology for Sophos in the Asia Pacific region, in a blog post. Indeed, expect attackers to be working overtime to reverse-engineer the patches, which would allow them to craft attacks that exploit Windows PCs that haven't been patched.

One critical Microsoft patch addresses flaws in the Windows media codec, which could be exploited by crafting a malicious media file. Another fix targets vulnerabilities in the RTF file format that could be exploited by crafting a malicious RTF file, which if opened in Microsoft Word or WordPad would allow an attacker to compromise the PC. "Microsoft warns that this is likely to be exploited in the wild within 30 days," said Ducklin.

While those vulnerabilities affect clients, another critical vulnerability exists on Microsoft Exchange servers with Oracle's Outside In technology. The vulnerabilities could be exploited by attackers to remotely compromise the server or create a denial of service.

Security researchers have also published further details of the bugs that were patched last week in Adobe's Flash Player. According to a blog post from Kaspersky Lab researchers Sergey Golovanov and Alexander Polyakov, the vulnerabilities (designated CVE-2013-0633) are being actively exploited by "so-called 'legal' surveillance malware created by the Italian company HackingTeam." The Italian company's surveillance software is called RCS (Remote Control System), aka DaVinci, and has been used "against human rights activists and political dissidents from Africa, South America and the Middle East," according to the researchers.

The Kaspersky Lab researchers said they cataloged six different ways that RCS has been installed on targets' computers, and four of them employ zero-day vulnerabilities. "Interestingly ... two of the 0-days appear to have been created by the French offensive security company Vupen," said the researchers. "The link was also previously pointed out by Citizen Lab's report, which says it's unclear if the exploits used with HackingTeam's malware have been purchased from Vupen, or just engineered in parallel."

Chaouki Bekrar, CEO and head of research for Vupen, dismissed as "defamatory allegations and unproven claims" the Kaspersky Lab suggestion that his company may have sold the zero-day vulnerabilities to HackingTeam. "We did not develop nor sell any of these exploits," Bekrar said via email. "In the vulnerability research field, it often happens that many unlinked researchers, groups or companies work on similar flaws or exploits without knowledge of the others, we call this vulnerability overlaps and it's very common and usual."

Note: Story updated to correct error in number of flaws fixed.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Strategist
2/13/2013 | 7:47:26 PM
re: Adobe Reader, Acrobat Under Attack
It will be interesting to see if there's a sandbox bypass here in this new exploit.

Kelly Jackson Higgins, Senior Editor, Dark Reading
Register for Dark Reading Newsletters
White Papers
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.